As well as ‘busting the myth’ that fresh consent must automatically be obtained from all contacts, it aims to help organisations decide when to rely on consent for processing and when to look at alternatives, explaining what counts as valid consent, and how to obtain and manage consent in a way that complies with the GDPR.

The guidance also sets out how the ICO interprets the GDPR, and its general recommended approach to compliance and good practice.

It says that under GDPR, consent must be ‘freely given, specific, informed, and there must be an indication signifying agreement.’ In addition, ‘the indication must be unambiguous and involve a clear affirmative action.’

Organisations must also ensure they tell people that they have the right to withdraw their consent, and have mechanisms in place to enable people to do so easily. The guidance also covers key changes that organisations must make to ensure their consent mechanisms are GDPR compliant.

These include ensuring consent requests are separate from other terms and conditions and not a precondition of signing up to a service unless necessary for that service, that opt-in is active (no pre-ticked opt-in boxes), and that distinct options to consent separately to different types of processing are given wherever appropriate.